Dirty Frag: Using the Page Caches as an Attack Surface
Dirty Frag LPE chain exploits two Linux kernel page-cache vulnerabilities to escalate to root.
Summary
Dirty Frag is a Linux local privilege escalation chain disclosed on May 7, 2026, combining two previously unknown kernel vulnerabilities (CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC) that allow unprivileged users to escalate to root on major distributions. The attack exploits a zero-copy send path flaw that plants attacker-controlled pages into kernel data structures, enabling in-place writes to memory the attacker should not have access to. The exploit operates entirely in the page cache (RAM), making it invisible to file-hash-based security tools until the system reboots or caches are dropped.
Full text
Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities that can allow an unprivileged local user to escalate to root on many major Linux distributions:

- xfrm-ESP Page-Cache Write (CVE-2026-43284)
- RxRPC Page-Cache Write (CVE-2026-43500)

As of May 8, 2026, CVE-2026-43284 had been patched in mainline Linux, while public reporting indicated that CVE-2026-43500 did not yet have patches available.

The Dirty Pipe Connection:

Dirty Frag is the third discovery of a bug class whose members all share the same logic. A zero-copy send path plants an attacker-controlled or attacker-readable page into a kernel data structure as a raw reference. A downstream consumer assumes that buffer is privately owned by the kernel and performs an in-place write. The attacker controls where that write lands: in a page they only had read access to.

| Bug | Year | Sink | Primitive |
| --- | --- | --- | --- |
| Dirty Pipe (CVE-2022-0847) | 2022 | struct pipe_buffer | Page-cache overwrite via stale PIPE_BUF_FLAG_CAN_MERGE |
| Copy Fail (CVE-2026-31431) | Apr 2026 | algif_aead TX SGL | 4-byte STORE during crypto_authenc_esn_decrypt() byte rearrangement |
| Dirty Frag (CVE-2026-43284, CVE-2026-43500) | May 2026 | frag of struct sk_buff | 4-byte STORE (ESP) and 8-byte STORE (RxRPC) into nonlinear skb frag |

Dirty Frag exists on the receive side of a network protocol that performs in-place crypto on skb_shinfo(skb)->frags[]. Since splice_to_socket() automatically sets MSG_SPLICE_PAGES, a page-cache page that the attacker only has read access to gets pinned into frags[0] as-is. The receiver-side kernel then does its in-place STORE on top of it.
CVE-2026-43284: xfrm-ESP Page-Cache Write

Registering an XFRM SA needs CAP_NET_ADMIN privileges, which means the attacker has to first create a new user namespace via unshare(CLONE_NEWUSER | CLONE_NEWNET). On distributions that allow unprivileged user namespaces (RHEL, Fedora, openSUSE, AlmaLinux), this is easily achieved. However, on systems like Ubuntu, AppArmor sometimes blocks unprivileged user-namespace creation. This is exactly why the second CVE in the chain exists.

CVE-2026-43500: RxRPC Page-Cache Write

The publicly available exploit's chosen target is line 1 of /etc/passwd. In this implementation, 12 bytes are rewritten via three sequential 8-byte STOREs to produce an empty password field for root. After successful exploitation, simply running "su -" gives root without a prompt. Moreover, this vulnerability requires only normal user privileges: add_key("rxrpc", ...), socket(AF_RXRPC), socket(AF_ALG), splice(), and recvmsg() are all unprivileged APIs, so no user-namespace creation is needed. This is why the Dirty Frag exploit chain works on hardened Ubuntu systems even where the ESP path is blocked.

The Security Blind Spot:

The Dirty Frag exploit does not touch any files on the hard drive. Security tools that depend on hashing the file on disk will not detect a Dirty Frag exploitation, because the malicious content exists only in the page cache in RAM. Furthermore, the page cache stays contaminated until either "echo 3 > /proc/sys/vm/drop_caches" runs or the system reboots. The drop_caches command frees the Linux kernel's page cache, dentries, and inodes; it is often used in testing or debugging to simulate a "cold cache" state without rebooting. If the threat actor is able to corrupt /usr/bin/su, the corrupted copy effectively remains available for execution until reboot, serving as a reliable backdoor.

Affected Versions:

More vulnerability details are still being uncovered, and we will update this list as additional information becomes available.
Primarily, the Linux kernel ESP subsystem since 2017 and the Linux kernel RxRPC subsystem since 2023 are vulnerable. Additionally, these vendors have confirmed that patches are being prepared:

- Ubuntu
- Red Hat Enterprise Linux
- CentOS Stream
- AlmaLinux
- Fedora
- openSUSE

Qualys QID Coverage

Qualys has released the following QIDs to address the Dirty Frag chain:

- QID 387289 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43284)
- QID 387288 – Linux Kernel Local Privilege Escalation Vulnerability (Dirty Frag) (CVE-2026-43500)
- QID 944291 – AlmaLinux Security Update for kernel (ALSA-2026:A006)
- QID 944290 – AlmaLinux Security Update for kernel (ALSA-2026:A005)
- QID 944287 – AlmaLinux Security Update for kernel-rt (ALSA-2026:A007)

The following QIDs are in the final stages of verification and are expected to be released soon:

- QID 6276440 – Debian Security Update for linux (CVE-2026-43284)
- QID 288685 – Fedora Security Update for kernel (FEDORA-2026-87dc12705e)
- QID 288684 – Fedora Security Update for kernel (FEDORA-2026-abc00fb4e8)
- QID 762499 – SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1778-1)
- QID 6276373 – Debian Security Update for linux (CVE-2026-43500)

Qualys customers can also search for these vulnerabilities by their CVE IDs: CVE-2026-43284 and CVE-2026-43500. Information about additional QIDs pertaining to these CVEs can be found in our Vulnerability Detection Pipeline.

Remediate at Scale With TruRisk Eliminate

TruRisk Eliminate offers a comprehensive risk reduction solution designed to help security and IT teams proactively address nearly 100% of CISA KEVs and ransomware vulnerabilities. To address these vulnerabilities, leverage Qualys TruRisk Eliminate to:

- Patch these vulnerabilities, or
- Apply out-of-the-box mitigations until a patch can be deployed

Because these vulnerabilities are Qualys patchable, you should deploy the patches immediately.
Relevant patches were added to the Qualys patch catalog and are ready to be deployed using the Qualys agent.
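The two CVE sections above state the precondition of each path: the xfrm-ESP path needs an unprivileged user namespace (to obtain CAP_NET_ADMIN), while the RxRPC path needs only unprivileged sockets (socket(AF_RXRPC), socket(AF_ALG)). The script below is an added example, not Qualys's code, that reports which of those preconditions a host still satisfies. It reads the user-namespace controls (the upstream user.max_user_namespaces sysctl, plus the Debian/Ubuntu-specific kernel.unprivileged_userns_clone and the AppArmor control kernel.apparmor_restrict_unprivileged_userns, which are simply absent elsewhere) and checks whether the rxrpc and AF_ALG modules are loaded, built in, or prevented from autoloading by /etc/modprobe.d. The module names (rxrpc, af_alg, algif_aead) and the open/closed rules are this example's assumptions; the advisory does not prescribe them.

```python
"""Report which Dirty Frag preconditions a host still satisfies.

Added example, not Qualys code. Reads only /proc and /etc; the module
names and the open/closed rules are this example's assumptions.
"""
import glob
import os
import re

# Controls that gate unprivileged user-namespace creation (xfrm-ESP path).
# max_user_namespaces is upstream; the other two are Debian/Ubuntu additions.
USERNS_SYSCTLS = {
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "kernel.apparmor_restrict_unprivileged_userns":
        "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}
# Modules behind the unprivileged sockets the RxRPC path calls:
# socket(AF_RXRPC) -> rxrpc, socket(AF_ALG) -> af_alg/algif_aead (assumed names).
RXRPC_PATH_MODULES = ("rxrpc", "af_alg", "algif_aead")


def read_sysctls(paths=USERNS_SYSCTLS):
    """Return {name: value} for the controls present on this kernel."""
    found = {}
    for name, path in paths.items():
        try:
            with open(path) as f:
                found[name] = f.read().strip()
        except OSError:
            pass  # control not present on this kernel
    return found


def userns_restricted(sysctls):
    """True if any present control blocks unprivileged user namespaces."""
    return (sysctls.get("user.max_user_namespaces") == "0"
            or sysctls.get("kernel.unprivileged_userns_clone") == "0"
            or sysctls.get("kernel.apparmor_restrict_unprivileged_userns") == "1")


def modprobe_block(modprobe_text, module):
    """How modprobe.d treats `module`: 'install' (an `install <mod> /bin/false`
    or /bin/true rule, which defeats the kernel's autoload request),
    'blacklist' (stops alias-based autoload only), or None."""
    found = None
    for line in modprobe_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"install\s+(\S+)\s+/bin/(false|true)\b", line)
        if m and m.group(1) == module:
            return "install"
        m = re.match(r"blacklist\s+(\S+)$", line)
        if m and m.group(1) == module:
            found = "blacklist"
    return found


def loaded_modules(proc_modules="/proc/modules"):
    """Names of currently loaded modules (first field of /proc/modules)."""
    try:
        with open(proc_modules) as f:
            return {ln.split()[0] for ln in f if ln.strip()}
    except OSError:
        return set()


def builtin_modules(release=None):
    """Modules compiled into the kernel; modprobe.d cannot stop these."""
    release = release or os.uname().release
    try:
        with open(f"/lib/modules/{release}/modules.builtin") as f:
            return {os.path.basename(ln.strip())[:-3]
                    for ln in f if ln.strip().endswith(".ko")}
    except OSError:
        return set()


def read_modprobe_dir(modprobe_dir="/etc/modprobe.d"):
    """Concatenate every *.conf so one parse covers the whole directory."""
    chunks = []
    for path in sorted(glob.glob(os.path.join(modprobe_dir, "*.conf"))):
        try:
            with open(path) as f:
                chunks.append(f.read())
        except OSError:
            pass
    return "\n".join(chunks)


def assess(sysctls, available, modprobe_text):
    """Pure assessment over collected inputs. `available` is the set of modules
    already loaded or built in; for those, modprobe.d rules are moot."""
    modules = {}
    for mod in RXRPC_PATH_MODULES:
        rule = modprobe_block(modprobe_text, mod)
        modules[mod] = {"available": mod in available, "modprobe": rule,
                        "reachable": mod in available or rule is None}
    restricted = userns_restricted(sysctls)
    return {
        "userns_restricted": restricted,
        "esp_path_open": not restricted,                    # needs an unprivileged userns
        "rxrpc_path_open": modules["rxrpc"]["reachable"],   # needs socket(AF_RXRPC)
        "modules": modules,
    }


def collect():
    """Gather live inputs from this host and assess them."""
    return assess(read_sysctls(), loaded_modules() | builtin_modules(), read_modprobe_dir())


if __name__ == "__main__":
    import json
    print(json.dumps(collect(), indent=2))
```

It runs as any user. A host reporting both esp_path_open and rxrpc_path_open as false has the listed preconditions closed, which reduces exposure but does not replace the kernel update; note that a built-in rxrpc shows as available no matter what /etc/modprobe.d says, and that the af_alg entries are informational only, since the advisory does not say whether AF_ALG is essential to the RxRPC path.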
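The Security Blind Spot section explains that the corruption lives only in the page cache: the bytes on disk are untouched, so a tool that hashes the on-disk file sees nothing, while every process that reads the file through the cache gets the modified content. One check that exposes exactly that split, written here as an added example (not Qualys's code), hashes the same file twice: once with an ordinary read(), which is served from the page cache when the file is resident, and once with O_DIRECT, which bypasses the cache and reads the block device. A mismatch means the cached view and the on-disk view have diverged. The 4 KiB alignment, the result layout, and the assumption that the filesystem honours O_DIRECT are this example's own; where O_DIRECT is refused (tmpfs, some overlay setups) the disk view is reported as unreadable rather than guessed.

```python
"""Compare the page-cache view of a file with its on-disk content.

Added example, not Qualys code. A normal read() goes through the page
cache; an O_DIRECT read bypasses it. If the two disagree, the cache and the
disk have diverged, which is what a page-cache-only corruption looks like.
"""
import hashlib
import mmap
import os

BLOCK = 4096  # assumed alignment and transfer unit for O_DIRECT (one page)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def read_cached(path):
    """Ordinary read: served from the page cache when the file is resident."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """Read the file bypassing the page cache; None if O_DIRECT is unusable."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None  # not Linux
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None  # filesystem (e.g. tmpfs) refuses O_DIRECT
    try:
        size = os.fstat(fd).st_size
        if size == 0:
            return b""
        # O_DIRECT needs a block-aligned buffer and a block-multiple length;
        # anonymous mmap memory is page-aligned, which satisfies both.
        buf = mmap.mmap(-1, ((size + BLOCK - 1) // BLOCK) * BLOCK)
        out = bytearray()
        while len(out) < size:
            n = os.readv(fd, [buf])  # reads from the fd's current offset
            if n <= 0:
                break
            out += buf[:n]
        buf.close()
        return bytes(out[:size])
    except OSError:
        return None  # e.g. EINVAL on filesystems with partial O_DIRECT support
    finally:
        os.close(fd)


def compare_views(cached, direct):
    """Pure comparison of the two views; `diverged` is None if disk is unreadable."""
    result = {"cached_sha256": sha256(cached), "disk_sha256": None, "diverged": None}
    if direct is not None:
        result["disk_sha256"] = sha256(direct)
        result["diverged"] = cached != direct
    return result


def check_file(path):
    """Hash the cached and on-disk views of `path` and report whether they differ."""
    return compare_views(read_cached(path), read_direct(path))


if __name__ == "__main__":
    import sys
    # Default targets are the two files the advisory names; any path works.
    for p in sys.argv[1:] or ["/etc/passwd", "/usr/bin/su"]:
        r = check_file(p)
        state = ("disk unreadable" if r["diverged"] is None
                 else "DIVERGED" if r["diverged"] else "ok")
        print(f"{p}: {state} cached={r['cached_sha256']} disk={r['disk_sha256']}")
```

Run `sync` first: dirty pages from a legitimate, not-yet-written-back write also differ from disk for a moment, and a file being modified while the check runs can show a transient mismatch. Run it before dropping caches, because "echo 3 > /proc/sys/vm/drop_caches" makes the cached view reread from disk and the evidence disappears with it, exactly as the advisory describes.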
Indicators of Compromise
- cve — CVE-2026-43284
- cve — CVE-2026-43500